Slow SIM Security Delays NFC Mobile Payment Programs

Using SIM cards as a secure element for NFC mobile transactions is too slow for public transportation authorities such as Transport For London (TFL).

Looks like using SIM cards as a secure element for NFC mobile transactions is too slow for public transportation authorities such as Transport For London (TFL).

Smartcards are used by millions of people every day in cities around the world, and the contactless technology responsible for their operation is basically compatible with the NFC technology present in many smartphones today. In places such as Japan the Osaifu-Keitai system, jointly developed by Sony and NTT DoCoMo, allows passengers to use their mobile phones to pay for most forms of public transport.

Osaifu-Keitai system in Japan.

Customers want it, too. In a 2013 study by Accenture, three out of four transit users in major cities say electronic ticketing would make travel easier, and 90 percent of Barcelona's public transport users say they will use a ticketless solutions if a remote purchase system is available. Also, 76 percent of all respondents say that a ticketless mobile solution will encourage more car drivers to switch to public transport.

TFL has been rolling out terminals to allow travelers to pay with their new contactless debit and credit cards alongside their smart Oyster cards, and possibly NFC smartphones. Travelers have been able to use contactless credit cards in London buses for a while, and later this year they’ll be able to use them on the Tube, tram, Dockland Light Railway, London Overground and most National Rail services in London.

So, if NFC solutions are compatible, secure and easy to use, why it is not possible to pay with a smartphone for public transport in London yet? There are basically two reasons:

Operator’s greed: This is the most important issue, and I have written extensively about it. The operators are determined to control the mobile payments ecosystem and have been aggressively asking handset manufacturers to drop the NFC secure element. Also they are actively creating their own mobile wallets, securing bank and credit card agreements, and blocking open solutions such as Google Wallet on their networks.

Transaction speed: This is the basic concern of transit operators such as TFL. Using the operators’ SIM cards as secure elements is not fast enough for the “Tube.” TFL wants each transaction to be processed in no more than 500 milliseconds, something achievable with contactless credit cards but problematic with NFC smartphones. The half-second transaction time is critical for the Tube, where millions of travelers quickly pass through access gates, especially at rush hour.

Why is SIM based security slower? It should not be, according to Pedro Martinez head of the NFC knowledge center at NXP. “There’s no reason for SIM security to be slower than contactless cards. It all depends on the software implementation by the operator,” Martinez told me in an interview. “A SIM card is a microprocessor that can handle the transaction properly and fast.” But the security layers and the additional information operators want to collect might have some impact.

Shashi Verma, director of customer experience for Transport for London, said that TFL successfully tested mobile access using a Nokia handset in 2007, but Verma says that “industry changes since then to switch the secure element from the phone to the SIM has slowed the read speed down to above the 500 millisecond cut-off point.” TfL's own Oyster cards operate at a read speed of 300 milliseconds.

Washington DC and Chicago recently announced that they are planning contactless mobile payments for their transit systems. In the case of Washington, NFC is already in use with smartcards, making the transition simpler.

Transit authorities and users clearly want to have mobile payments for public transportation. It is convenient, cheaper and can save cities much of the cost of handling cash and maintaining ticket machines. The technology is already here. It is proven and it can be implemented. We just need to streamline the solution to make it happen.

— Pablo Valerio is a freelance blogger who writes about mobile and telecom issues for EE Times. He lives and works in Barcelona.

For a short time the USA credit card companies were automatically sending NFC-based cards. Everyone I know that received one watched as I used an Arduino and cloned it. Then they sent the card back requesting the safer cards without the silicon-based security hole (called NFC).

SIMs have been more secure than NFC for quite some time. So, I assert that the the need for improved security should be to bar the ability for attack by a script-kiddie with $30 worth of equipment (or an Android phone now - see Electronic Pickpocket app at Play store - Free).

While many might like the speed and convenience of ticketless payments, lots of people are worried about the security aspects. Witness, for example, all the adverts for wallets and passport covers that act as NFC shields. The idea of having a payment card that broadcasts my account details makes me very concerned!

The idea of a single card (or device) that authenticates my payments is all very good, provided that it cannot be cloned, it stops working if it is lost or stolen (and I can get a replacement very quickly, even if abroad), and it does not reveal information about me beyond that which is necessary for the transaction. A tall order!

There is also the issue of how the information about payments is stored and used. If I contact my mobile phone operator, my identity is validated by easily-discoverable information... and a PIN which can be discovered by many employees. I do not call this secure, so entrusting more information to them does not seem wise. basically, all 'security' and 'trust' seems to run one way, so it seems sensible to limit ones vulnerability until systems offering mutual trust are put in place.

@ip2design, I agree with you. There is no reason for SIM based security to be slower. But the security layers implemented by the service providers --and mostly by the SIM system integrators-- have serious implications on speed.

Looks like TfL and other transit authorities have been working closer with cell companies and system integrators and the issue is being resolved.

We all know that NFC-SIMs and embedded Secure Elements are fast enough to perform access control the right way at the right speed. Most of the ICs are now based on 32-bit core running at 30MHz with hardware crypto and secure OS.So, there may be some tricks to optimize the solution.